Popular HTTPS sites still vulnerable to OpenSSL connection hijacking attack

Popular HTTPS sites still vulnerable to OpenSSL connection hijacking attack

A known critical vulnerability in OpenSSL can be exploited on over 20,000 of Internet's top 155,000 SSL sites, a researcher from Qualys said

By Lucian Constantin | Published: 15:20, 16 June 2014

Some of the Internet's most visited websites that encrypt data with the SSL protocol are still susceptible to a recently announced vulnerability that could allow attackers to intercept and decrypt connections.

Until a few years ago, full-session encryption via HTTPS (HTTP with SSL) was mainly used by financial, e-commerce and other sites dealing with sensitive information. However, the increasing use of mobile devices that often connect over insecure wireless networks, coupled with the past year's revelations of upstream bulk data collection by spy agencies, led to a large number of sites adding support for it.

Heartbleed was just the beginning as more vulnerabilities appear

In the two months since the OpenSSL vulnerability known as Heartbleed hit the headlines and active solutions were offered to plug the security breach, more vulnerabilities have begun to surface.

The OpenSSL project has announced six additional vulnerabilities for the organization's cryptography platform, creating some concern that there are additional flaws yet to be uncovered. That latest batch of vulnerabilities include denial of service, information disclosure and potential remote code execution - all of which should be of a major concern to anyone protecting corporate IT resources.